Disaster Recovery Planning: tabletop exercises

For most medical practitioners the full concept of Disaster Recovery Planning (DRP) is sadly not fully understood. This often comes from a very weak approach to Risk Management, since the two concepts are closely interrelated. [ By the way: HIPAA calls for both: Disaster Recovery Plan, see 164.308(a)(7)(ii)(B), and Risk Management, see 164.308(a)(1)(ii)(B). ]

So what is Disaster Recovery Planning?

Disaster recovery planning (DRP) is critical to the success of business continuity. No, they are not the same; in fact, DRP is a part of Business Continuity Planning (BCP). A disaster recovery plan is composed of three phases:

  • preparedness,
  • response, and
  • recovery

[ Cause for failure: ]

Without complete management/owner buy-in or commitment, your BCP and DRP are destined for failure. I make this statement up front because too often medical practitioners do not want to get involved with the process, or do not understand the process. Then, sadly, when a disaster strikes they start making decisions out of panic, because they do not know or follow the plan.

Also, to understand the relationship between Business Continuity and Disaster Recovery, let us look at the overall components of a Business Continuity Plan (perhaps in another blog I’ll talk more about BCPs):

  • Risk Assessment
  • Impact Study / Analysis
  • Recovery Plans / Strategies
  • Implementation and Awareness
  • Testing or Exercise Strategies
  • Make necessary adjustments

Both DRPs and BCPs are cycles: Plan, Decide, Implement, Test, Maintain, Repeat.

The two most commonly seen failure points in the Disaster Recovery Plan cycle are: Testing and Repeat.

[ Key to Success: ]

Many organizations run through the plan once and stop after Implementation. Preparedness is key to surviving any disaster. Depending on the source, between 40% and 60% of small businesses that do not have a working disaster recovery plan are destined to close within 2 years after experiencing a disaster. Sadly, this is preventable by regularly testing and annually repeating the DRP cycle.

The most effective testing method is what is called a Tabletop Exercise.

Tabletop Exercises start with a scenario, which leads to a sequence of possible events that may occur, leading to a disaster. Often this is something minor, like a data breach with a few twists. However, the events can also lead to major disasters, like a hurricane that has destroyed half the building. The tabletop exercise is often led by a single individual who only shares factual information. Members of the organization ask questions and, if they are relevant or related, the leader answers them with more information. The participating members then “play act” the implementation of the organization’s DRP based upon the event(s) as they unfold. This method tests multiple aspects:

  1. Can the team (participating members) work together?
  2. Can they see answers while under pressure (well, perceived pressure)?
  3. Can they use the DRP according to the plan itself? Do they know what actions or decisions need to be taken?
  4. Following the organization’s actual current plan, policies and procedures, can the disaster be minimized or reduced?
  5. Afterwards the following questions can be assessed: Was the plan effective? Does it require modification? Was the plan executed too early or too late? Could things have been done better?

The outcomes of the questions can determine a lot about the plan and the organization’s preparedness should a similar disaster arise. This is a much easier and more cost-effective solution than waiting for a disaster to occur and then finding out that the plan fails while in the middle of a real disaster.

Prepare = Plan = Test  ==> Be Ready

My 2c from small town America
